Tuesday, March 19, 2013

32 AntiVirus versus the latest Java Exploit (CVE-2013-1493)

Image a scenario where someone wants to target your computer to get access to your files. This task can be accomplished in several ways and one of them is using a java exploit on a crafted/compromised website.

What i want to test is how AntiVirus manage "unknown" threads or forbidden behavior (an unsigned applet shouldn't be allowed to download files to your local disk).

This test is based on basic/home/free products like Symantec AntiVirus and not Symantec Internet Security which has more features. Some companies provide only Internet Security suites so this cannot be a fully comparison between these products.

I tried to test all AntiVirus in this list but i came out with only 32, because some of them don't provide a free trial and the others i was unable to find it or install it. The important thing is that i covered all major/popular AntiVirus.

Testing machine is a Windows 7 SP1 32 bit fully patched on Virtualbox with Java SE 7 update 15 and as browser Firefox.

The exploit is CVE-2013-1493 not obfuscated that after a successfully exploitation tries to download from a remote host to temp directory hello.jpg , after that the is renamed to hello.exe and executed using cmd "cmd /C 'temp_path\hello.exe'".

The executable just prompt "Hello Malware".

I decided to run this executable instead of the classic calculator because some AntiVirus have cloud based reputation service and since this is an unknown file dropped by java (like malware) they should prompt some warning.

Maybe someone of you will say "this is not a malware, of course av doesn't block it", what i want to test here is the software against the java exploit not about malicious executable detection, because this is another story.

Developers of chk4me claim to not send uploaded files to AntiVirus companies so this is the right place to check the exploit before the test.

To be more clear i made this table where i report the "score" obtained by the AntiVirus against CVE-2013-1493.

I used this scale of values:
  • 0 = Exploit and "malicious" exe executed successfully
  • 1 = Exploit executed successfully but "malicious" exe not executed or sandboxed
  • 2 = Exploit blocked/not executed
AntiVirus Name Score
Ad-Aware Free Antivirus+0
AVG Antivirus Free 20130
Avira Free Antivirus 20130
Bitdefender Antivirus Free Edition0
Quick Heal Antivirus Pro 20130
Immunet 3.00
Dr.Web Anti-virus Pro0
ESET NOD32 Antivirus 60
FortiClient Endpoint Security Management0
F-PROT Antivirus0
F-Secure Anti-Virus0
G Data AntiVirus 20130
IKARUS anti.virus0
Kingsoft Internet Security 90
Malwarebytes Anti-Malware Free0
McAfee AntiVirus Plus 20130
Microsoft Security Essentials0
NANO Antivirus0
Norman Antivirus 100
Outpost Antivirus Pro0
Panda Cloud Antivirus0
Rising Free Antivirus0
VIPRE Antivirus 20130
VirusBuster Personal Antivirus0
ArcaVir 2013 Antivirus1
Avast! Free Antivirus1
Comodo Antivirus Free1
Emisoft Anti-Malware 7.01
Trend Micro Titanium Antivirus Plus1
Kaspersky Anti-Virus 20132
Norton AntiVirus2
Sophos Anti-Virus2

Summarizing the results:
  • 24 (75 %) don't detect the exploit neither the executable 
  • 5 (16 %) don't detect the exploit but they warn you about the executable
  • 3 (9 %) detect the exploit. 
Looking only the exploit, 91 % don't detect it and 9 % are able to block it.

There were some cases where i was undecided between the score 1 or 2, like the case of ArcaVir. When an applet tries to contact another domain ArcaVir prompt you an alert, however its not saying "this is an exploit and i block it" but "hey, this applet is trying to connect to this domain, what you wanna do ?". For this reason i opted for a score of 1 instead of 2.

Symantec surprised me because a couple of months ago didn't detect any java exploit and now they block it all, maybe they have decided to improve their basic software after the Wall Street Journal story.

As last thing here is the video, maybe you will find it boring but you can see how several antiviruses handles a java exploit.